https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556927#M92155 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/136095">@ColinJacksonPS</a>&nbsp;</P><P>You can try following to send readOnly them to nullQueue. the REGEX matches "readOnly' = true in every event and if it find a match then those events won't be indexed. So make sure the readOnly events containing the operations/eventNAme that you do not want to index.</P><P>aws:cloudtrail is a default sourcetype when you set this in props.conf it applies to everything at platform level, instead if you want to limit to particular source/host use source:: , host:: type stanzas as provided here in example.</P><LI-CODE lang="markup">#props.conf [your_sourcetype/source::&lt;source&gt;/host::&lt;hostname&gt;] TRANSFORMS-nullq= setreadonlytonullQ #transforms.conf [setreadonlytonullQ] REGEX = \"readOnly\"\:\s+true DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>&nbsp;----</P><P>An upvote would be appreciated and accept solutions if it helps!</P> Thu, 24 Jun 2021 03:48:40 GMT venkatasri 2021-06-24T03:48:40Z https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556906#M92152 <P>Does anybody know a good way to filter out AWS Cloudtrail readonly events?</P><P>&nbsp;</P><P>This is what I have on my HF and jumping through hoops to get this on the IDM for Splunk Cloud.</P><P>&nbsp;</P><P><SPAN>[cloudtrail_read_only]</SPAN><BR /><SPAN>REGEX = "^Describe|Get|List\p{Lu}|LookupEvents"</SPAN><BR /><SPAN>DEST_KEY = queue</SPAN><BR /><SPAN>FORMAT = nullQueue</SPAN><BR /><BR /><BR /><SPAN>and this to props.conf:</SPAN><BR /><BR /><SPAN>[aws:cloudtrail]</SPAN><BR /><SPAN>#Strip out readOnly AWS events (i.e. Describe*, List*)</SPAN><BR /><SPAN>TRANSFORMS-cloudtrail_read_only = cloudtrail_read_only</SPAN></P><P>&nbsp;</P><P><SPAN>Doesn't seem to be filtering. Thoughts?</SPAN></P> Wed, 23 Jun 2021 22:40:11 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556906#M92152 ColinJacksonPS 2021-06-23T22:40:11Z https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556909#M92153 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/136095">@ColinJacksonPS</a>&nbsp;</P><P>Can you share sample event how it looks like covering Get*, List*, LookupEvents etc.. I am sure they don not start at very beginning of event since you mentioned ^ in regex which indicates very beginning of event.&nbsp; REGEX shall be changed to match with event.</P> Thu, 24 Jun 2021 00:29:51 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556909#M92153 venkatasri 2021-06-24T00:29:51Z https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556925#M92154 <P>Here's what I can share. If this is working, readOnly=true should return no results, or at least those listed.&nbsp; Raw, JSON formatted, and simple stats output.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-06-23 at 9.27.21 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14782i30042DB4A6B71F81/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2021-06-23 at 9.27.21 PM.png" alt="Screen Shot 2021-06-23 at 9.27.21 PM.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-06-23 at 9.26.57 PM.png" style="width: 977px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14784iF27F18270DE62F36/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2021-06-23 at 9.26.57 PM.png" alt="Screen Shot 2021-06-23 at 9.26.57 PM.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-06-23 at 9.27.11 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14783i40A7C6BA7FE1D070/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2021-06-23 at 9.27.11 PM.png" alt="Screen Shot 2021-06-23 at 9.27.11 PM.png" /></span></P> Thu, 24 Jun 2021 03:31:39 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556925#M92154 ColinJacksonPS 2021-06-24T03:31:39Z https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556927#M92155 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/136095">@ColinJacksonPS</a>&nbsp;</P><P>You can try following to send readOnly them to nullQueue. the REGEX matches "readOnly' = true in every event and if it find a match then those events won't be indexed. So make sure the readOnly events containing the operations/eventNAme that you do not want to index.</P><P>aws:cloudtrail is a default sourcetype when you set this in props.conf it applies to everything at platform level, instead if you want to limit to particular source/host use source:: , host:: type stanzas as provided here in example.</P><LI-CODE lang="markup">#props.conf [your_sourcetype/source::&lt;source&gt;/host::&lt;hostname&gt;] TRANSFORMS-nullq= setreadonlytonullQ #transforms.conf [setreadonlytonullQ] REGEX = \"readOnly\"\:\s+true DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>&nbsp;----</P><P>An upvote would be appreciated and accept solutions if it helps!</P> Thu, 24 Jun 2021 03:48:40 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/556927#M92155 venkatasri 2021-06-24T03:48:40Z https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/557266#M92218 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/136095">@ColinJacksonPS</a>&nbsp;Appreciate if you could accept the solution. Hope it helped for your case.</P> Sat, 26 Jun 2021 22:41:00 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-AWS-Cloudtrail-readonly-events/m-p/557266#M92218 venkatasri 2021-06-26T22:41:00Z